Spam Protection

Form Plant provides layered spam protection. Combine multiple defenses rather than relying on a single mechanism.

You don't need to enable everything at once. Lightweight protections (Honeypot and time-based check) are active by default, so out of the box you already get some level of protection. Add reCAPTCHA or Turnstile incrementally as spam volume grows.

Available Protections

1. Honeypot

A decoy field invisible to humans but visible to bots. Form Plant additionally obfuscates the field name so bots can't easily distinguish it from a real field, reducing both bot success and false positives.

No configuration needed
On by default

2. Time-Based Check

Measures how long it took to submit the form and rejects submissions that are unrealistically fast for a human.

Configurable minimum submission time (e.g. 3 seconds)

3. IP Rate Limiting

Throttles repeated submissions from the same IP address — effective against burst-style spam bots.

Configurable submission count limit per time window

4. Disposable Email Domain Blocking

Blocks submissions whose email domain is on a bundled list of disposable email services.

No external requests — the list is bundled and runs locally
Source: disposable-email-domains (CC0 1.0)

5. Google reCAPTCHA v2 / v3

Both checkbox-style (v2) and score-based (v3) are supported.

Version	User Interaction	Notes
v2 Checkbox	"I'm not a robot" checkbox	Strong, but visible step
v3 Score-based	None	Preserves UX

Requires a Google reCAPTCHA Site Key and Secret Key (https://www.google.com/recaptcha/)
Loads Google's reCAPTCHA JavaScript on form pages when enabled
Sends submission tokens to Google for evaluation
The visitor's IP address and browser info are sent to Google — disclose this in your privacy policy

6. Cloudflare Turnstile

A lighter alternative to reCAPTCHA, requiring only a Cloudflare account.

Requires a Cloudflare Site Key and Secret Key (https://www.cloudflare.com/products/turnstile/)
Loads Cloudflare's Turnstile JavaScript when enabled
Sends tokens to Cloudflare for verification

Recommended Rollout

Do nothing — default Honeypot + time check already block lightweight bots
Add disposable email blocking — no external traffic, just toggle on
Add IP rate limiting — when you see burst-style submissions
Add reCAPTCHA v3 or Turnstile — when sophisticated spam appears

Where to Configure

WordPress admin → Form Plant → (your form) → Form Settings → Spam Protection.

Privacy Notes

When reCAPTCHA or Turnstile is enabled, visitor data is sent to Google or Cloudflare respectively. Update your site's privacy policy to mention:

The third-party service in use
Data sent (IP address, browser info, behavioral signals)
Links to each service's privacy policy

If both reCAPTCHA and Turnstile are disabled, no external traffic to Google or Cloudflare is generated by Form Plant.

Available Protections​

1. Honeypot​

2. Time-Based Check​

3. IP Rate Limiting​

4. Disposable Email Domain Blocking​

5. Google reCAPTCHA v2 / v3​

6. Cloudflare Turnstile​

Recommended Rollout​

Where to Configure​

Privacy Notes​